CVE-2026-59236 in Prospero Flow CRMinformação

Sumário

de MITRE • 15/07/2026

Authorization Bypass Through User-Controlled Key (CWE-639) in the Excel import handlers (CustomerImport, LeadImport, ProductImport) in Roskus Prospero Flow CRM before 5.14.0 allows a remote, authenticated user of any role or company to create customer, lead, and product records inside another company's tenant via a spreadsheet whose company_id column points to the victim tenant, uploaded to POST /customer/import/excel/save, which maps company_id directly from the file and performs no check that it matches the authenticated user's company.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Responsável

Secur0

Reservar

03/07/2026

Divulgação

15/07/2026

Moderação

aceite

Entrada

VDB-379213

CPE

pronto

EPSS

0.00000

KEV

não

Atividades

baixo

Fontes

Interested in the pricing of exploits?

See the underground prices here!